
FSMO Roles

FSMO: Flexible Single Master Operations. The term FSMO was introduced by Microsoft in Windows 2000; in Windows 2003 it is called Operations Master. The features and functionality remain the same in Windows 2003, and most people still call it FSMO.

FSMO is divided into two categories:
Forest Wide Roles
Domain Wide Roles

Forest Wide Roles are further divided into two categories:
Schema Master
Domain Naming Master

Domain Wide Roles are further divided into three categories:
RID Master
Infrastructure Master
PDC Emulator
-----------------------------------------------------------------------------------------------------------

Schema Master:
The schema consists of information about the objects and their attributes. For example: the object is the employee's name and the attribute is the employee ID. In a forest there can be only one Schema Master. The Schema Master domain controller is the one that has full read and write permission on the schema, whereas the schema copies on the other AD servers are read-only. Any change to the schema has to be made on the Schema Master domain controller, which then replicates it to the schema copies on the other AD servers in the forest. Each AD server holds the schema in its Ntds.dit file. This file is divided into three parts:
D: Domain
C: Configuration
S: Schema

Command: adsiedit.msc (this is an advanced-level tool)

-----------------------------------------------------------------------------------------------------------

Domain Naming Master:

This role is responsible for keeping the records of all the names in the network, which includes domain names, users, printers and other objects in the domain. It is used to get information about the names in the forest. If you give a name to a new AD server or any other machine and the same name is already given to some other machine, you receive an error. There can be only one Domain Naming Master in the entire forest.
-----------------------------------------------------------------------------------------------------------

PDC Emulator: (PDC: Primary Domain Controller)

Backward Compatibility:

When Active Directory is introduced into an NT scenario we face the following issue. In NT there is one PDC (Primary Domain Controller) and all the other servers are BDCs (Backup Domain Controllers). The PDC's function is to replicate all its required data to the BDCs. Now if an AD server is included in this scenario, it has the same function as the PDC, that of sending information, but it also has the additional feature of accepting information, so there would be an issue with data replication: the AD server will take data from the PDC, but the PDC will not take data from the AD server, as its function is only to send data and not to receive any. To overcome this issue Microsoft introduced the PDC Emulator. The first server installed in the network is by default the PDC Emulator; however, this role can later be moved to other servers as required. When a PDC Emulator is installed in the NT scenario it by default changes the PDC server into a BDC, which now just receives data instead of sending it, hence creating an AD scenario in which all servers can send and receive information.

Time synchronization:
This role is responsible for keeping track of the time settings of all the servers and other client machines in the network.

If the time on any of the machines is not set correctly, it forcibly changes the time, as this is very critical when it comes to synchronizing information across the network. For example, there is a replication time set on the servers, and if the time set on a server is not correct then the synchronization will not happen. To avoid this issue the PDC Emulator keeps an eye on the time settings of all the machines in its network. For the PDC Emulator to set and synchronize time on other servers, it is important that the time is correctly set on the PDC Emulator server itself. Hence, if internet access is present on the PDC Emulator server, it is linked with NTP (Network Time Protocol), which automatically keeps the time on the PDC Emulator server up to date.

Password changes are updated on the PDC Emulator:

When a password change is made on any of the machines, it is first replicated to the PDC Emulator, which then passes it on to the other ADCs as per the schedule. For example, there is a scheduled replication time set on the servers; if a password change is made by any user in between the scheduled times, this information is sent to the PDC Emulator first, regardless of the scheduled replication time. So if a password change is made, the PDC Emulator is the first to have all the details of the change. Hence if a user logs into the domain and the ADC handling the logon does not have the updated user information, it first consults the PDC Emulator server for the information.
-----------------------------------------------------------------------------------------------------------

RID Master: (Relative Identifier)

The RID Master assigns a pool of RIDs to the DC and ADCs on the network so that each of them can assign different IDs to the accounts it creates without conflict. For example: DC, ADC1, ADC2.

In this case, if accounts are created and the SIDs given are the same on all the servers, i.e. range (0-100), then there would be a conflict. To avoid this, a different range is given to each server. When you create an account on a server, the RID pool is responsible for giving the allocated SID to the account, which uniquely describes that account. Each ADC is allocated a RID pool from which it assigns a SID to each user created. For example, when a user is created it is given the following details:

(S-1-5-21) - (domain details) - (user information, i.e. the account created) ---- RID
S-1-5-21: Microsoft number
Domain details: identifies the domain
RID: this is where the account-specific part, allocated from the pool, comes into the picture

Run command: whoami /user
-----------------------------------------------------------------------------------------------------------
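Added example, not part of the original notes: a PowerShell function that splits a SID into the domain part and the RID the RID Master's pool supplied, and flags reserved (well-known) RIDs. The sample SID is constructed; the well-known RID table is the standard Windows one.

```powershell
# Added example, not from the original notes: break a SID into the
# domain part and the RID that the RID Master's pool supplied, and flag
# reserved (well-known) RIDs. The sample SID below is constructed.
function Split-AccountSid {
    param([Parameter(Mandatory)][string]$Sid)
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $rid    = [int]($Sid -split '-')[-1]
    # RIDs below 1000 are reserved for built-in accounts and groups;
    # RIDs handed out from the RID Master's pool start at 1000.
    $wellKnown = @{ 500 = 'Administrator'; 501 = 'Guest'; 502 = 'krbtgt'
                    512 = 'Domain Admins'; 513 = 'Domain Users'
                    518 = 'Schema Admins'; 519 = 'Enterprise Admins' }
    [pscustomobject]@{
        Sid       = $Sid
        # S-1-5-21-<domain details>; $null for non-domain SIDs such as S-1-5-18
        DomainSid = $sidObj.AccountDomainSid.Value
        Rid       = $rid
        Reserved  = $rid -lt 1000
        Name      = $wellKnown[$rid]      # $null for pool-allocated RIDs
    }
}

# Constructed sample: RID 500 is the built-in Administrator of that domain.
Split-AccountSid 'S-1-5-21-1111111111-2222222222-3333333333-500'

# The current user's SID, the same value 'whoami /user' prints.
Split-AccountSid ([System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value)
```

Two accounts in different domains can share a RID (500 in each), so a defender compares the full SID, not just the RID, when matching logon events to accounts.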

Infrastructure Master:
The function of the Infrastructure Master is to update all the other ADCs in its domain with updates such as password changes and any other modifications. Cross-domain group information is stored in the IM. For example, if a user joins a group which is in a different domain, then the information about both the user and the group is stored in the IM of both domains. Each domain has its own Infrastructure Master.
-----------------------------------------------------------------------------------------------------------

Groups are created for management convenience. If 100 users need to access a particular folder, by creating a group we can grant the access to that group instead of granting it to each of the 100 users.
-----------------------------------------------------------------------------------------------------------

To search the Schema on your network: Go to -------Run-----cmd-------mmc-----Add/Remove Snap-in-------Add Schema, and then you can find the details of the Schema.

OR CMD-----------netdom query fsmo
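Added example, not part of the original notes: a PowerShell alternative to netdom query fsmo that lists the five role holders with the ActiveDirectory module and checks that the PDC Emulator's own time source is an external one, as the time-synchronization section requires. It assumes RSAT (the ActiveDirectory module) is installed and that w32tm can reach the PDC Emulator.

```powershell
# Added example, not from the original notes: list the five FSMO role
# holders and check the PDC Emulator's time source. Assumes the
# ActiveDirectory module (RSAT) is installed and the caller can query
# the domain and run w32tm against the PDC Emulator.
function Get-FsmoRoleHolders {
    param([string]$DomainName = (Get-ADDomain).DNSRoot)
    $forest = Get-ADForest
    $domain = Get-ADDomain -Identity $DomainName
    [pscustomobject]@{
        # forest-wide roles: one holder per forest
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        # domain-wide roles: one holder per domain
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

$roles = Get-FsmoRoleHolders
$roles | Format-List

# The PDC Emulator sits at the top of the domain's time hierarchy, so its
# own source should be an NTP server, not the local hardware clock.
$source = w32tm /query /computer:$($roles.PDCEmulator) /source
if ($source -match 'Local CMOS Clock|Free-running') {
    Write-Warning "PDC Emulator $($roles.PDCEmulator) is not synced to an external source: $source"
} else {
    "PDC Emulator $($roles.PDCEmulator) time source: $source"
}
```

Compare the object's five properties with the output of netdom query fsmo; a mismatch means one of the two views is stale and replication or the role holder should be investigated.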